Android devices and apps affected by Heartbleed: Check if your smartphone is vulnerable

Heartbleed, a vulnerability in the OpenSSL software library, allows an attacker to steal data directly from the memory space of an application. It abuses the heartbeat messages that an SSL/TLS connection produces, and an attacker could learn the private keys used to keep data securely encrypted as it travels over the Internet. As soon as word got out, the major companies were ready with updated versions that plugged the bug, but the number of Heartbleed-affected websites is enormous. As much as two-thirds of the Web is said to be affected, given how popular SSL encryption is. In fact, even mobile apps have built-in encryption so that you can log in safely, so naturally mobile devices are affected too. Apple has said its iOS is safe from Heartbleed-based attacks, but that's not the case with all Android devices.

Google has said that nearly all versions of AOSP from 4.1 and up contain vulnerable versions of OpenSSL, but all except one had heartbeats turned off, so no one could attack these systems. Only Android 4.1.1 had the heartbeat feature turned on, so those devices are vulnerable. Moreover, some OEMs may have switched the heartbeat feature back on in their phones' software, which leaves those phones vulnerable too. So how do you check whether your phone or any of the apps on it can fall prey to a Heartbleed attack?

If you find any apps that do show a vulnerability, it's important to report it in the app's review section on the Play Store and also send an email to the developers. Their email addresses are provided in the Play Store listing. You can continue using an app that is shown as vulnerable, though your data might not be all that secure now that the Heartbleed technique has hit the news and anyone can try to break in.